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How to Use This Guide 

This guide contains instructions on installing and using the PacketSight Information 
Source Module (ISM). It assumes a basic understanding of XACCTusage™ and its 
configuration and is intended to be used in conjunction with the XACCTusage User Guide. 

Document Conventions 

The following typographic conventions are used in this guide: 



Typeface 
or Symbol 


Meaning 


Example 


Italics 


References, new terms, 
and placeholders. 


For a more detailed description of how 
PacketSight works, refer to Chapter 1 of 
the XACCT PacketSight User Guide. 


Bold 


Names of menus, 
options, and command 
buttons. 


From the Type list, select PacketSight 
and then click Next, 



Contacting Technical Support 

You can contact technical support by: 

• Calling the number provided in your support agreement 

• Sending an email to support@xacct.com 

• Filling out the form available at http://www.xacct.com on the Web 
When sending an email, please supply the following information: 

• Your name and the name of your company (your customer ID) 

• Your contact information (telephone number and email) 

• Product name and version number 

• Problem description and any documentation that may help in resolving the problem 

• Operating system, available RAM, database version, and memory usage on the machine 
on which the product is installed 
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Overview 



Overview 



The PacketSight Information Source Module (ISM) is what XACCTusage uses to extract 
usage and QoS information from XACCT PacketSight. XACCT PacketSight retrieves 
information from network interface groups allowing you to collect statistical information 
about the traffic that passes through each interface. For additional information on XACCT 
PacketSight please refer to the XACCT PacketSight User Guide. 

The PacketSight ISM is a Data Collection Module (DCM). The PacketSight ISM collects 
information, processes it, and relays it to its associated Gatherer for further enhancement 
and storage. It serves as the trigger for Enhancement Procedures and initiates the flow of 
data through XACCTusage. 

The PacketSight ISM provides information for over 180 output fields. This enables you to 
track general information, such as Client and Server IP addresses, HTTP Response Time, 
and URL Domain names 
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Connecting With XACCT usage 

The PacketSight ISM uses XACCT PacketSight as its Information Source. XACCT 
PacketSight reads packets from the network. The PacketSight ISM polls XACCT 
PacketSight in regular intervals to collect data. The PacketSight ISM converts the data into 
a Unified Network Information Record (UNIR). The LTNIR is then pulled into 
XACCTusage by the Gatherer. 

The Gatherer can then process and forward the UNIR to either of the following: 

• Data Processing Module (DPM) 

• Central Event Manager (CEM) 

An example of a DPM is the Aggregator ISM. The Aggregator ISM reduces the amount of 
data flowing through the system by outputting only the most relevant information 
determined by you. 

The data can also be enhanced by a Data Enhancement Module (DEM). An example of a 
DEM is the Session ISM. The Session ISM tags flows with identifiers (ID) to determine, 
among numerous other things, the duration of site visits. 
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Features of the PacketSight ISM 

This section summarizes some of the features of the PacketSight ISM. 

Note: To start using the PacketSight ISM, you must install the software on the CEM host 
and then configure the ISM. 

The PacketSight ISM provides you with these features: 

• Automated interface selection. You do not have to add the interfaces from which 
you want the ISM to collect data when you configure the ISM. The ISM will monitor 
all the interfaces that are specified by XACCT PacketSight. This is convenient 
because it saves you the time and effort of adding interfaces manually. In addition to 
this, if new interfaces are added to the device, the ISM will automatically start 
monitoring them, eliminating the need for reconfiguring it. 

• A rich array of output fields. The PacketSight ISM has many output fields allowing 
you to collect a rich array of data, including data such as Client IP, URL Domain, 
and many others. See the section "PacketSight ISM Output Fields" for a complete 
list. 

• Performance Metrics. The PacketSightn ISM enables the activation of specific 
Performance Metrics within the XACCT PacketSight Analyzer. 

• Event Handling. The PacketSight ISM polls on pre-configured cycles for Events 
from the XACCT PacketSight Analyzer. 

Data Enhancement. The data polled is enhanced by adding timestamps, host domain 
exceptions, and more. 



Information Source Setup 

XACCT PacketSight must be installed and reading from the network interface group. For 
instructions on how to install and configure XACCT PacketSight, please refer to the 
XACCT PacketSight User Guide. 
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Installing the PacketSight ISM 

You can install the PacketSight ISM on Sun Sparc systems running Solaris. You install the 
ISM on the Central Event Manager (CEM) host using the basic procedure for installing 
Information Source Modules. 

To run the PacketSight Information Source Module (ISM) installation program, you need 
root user access rights for the host on which the Central Event Manager is installed. 

To run the Module installation program 

1 Log in as root user. 

2 Copy the PacketSight.tar.Z file from the CD-ROM to your /tmp directory. 

3 Entered /tmp to change to your tmp directory. 

4 Extract the files from the compressed distribution file by executing the following 
command: 

zcat PacketSight.tar.Z | tar xvf - 

5 Execute the following command: 
. /xacct_upgrade 

The XACCTusage installation program starts. The program runs automatically 
informing you of the actions performed and asking you to confirm and select options. 

6 When prompted to read the End-user License Agreement, press Enter to display the 
text. 

7 Read the End-user License Agreement. 

8 Do one of the following: 

• Type y and press Enter, if you agree with the terms of the End-user License 
Agreement. The installation program proceeds to the next step. 

• Type n and press Enter, if you do not agree with the terms of the End-user 
License Agreement. The installation program shuts down. 

If you accepted the terms of the End-user License Agreement, the list of components 
you can install displays. 
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XACCTusage Module Installation 

You may choose components that will not be installed, by- 
selecting their number or you can press c to continue, q to 
quit 

Install Name Description 



1 Yes PacketSight 
Your selection : c 

9 Select the components you want to install following the instructions on your screen. 
Use the following procedures to enter your selection. 

• To change the installation status of a system component on the list (to alternate 
between Yes and No), type the number of the component and press Enter. 

• To continue with installation, type c and press Enter. The components selected 
to be installed (marked with Yes) will be installed. 

• To quit the installation program, type q and press Enter. 

The selected components are installed. If installation is successful, the Central Event 
Manager sends the modules you have installed to the appropriate host or hosts. If 
installation is not successful, you get a notification with a description of the problem. 
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Adding a PacketSight ISM to the XACCJusage Configuration 

In order to use the PacketSight ISM, you must add an instance of it to the system 
configuration. You add the PacketSight ISM to its associated Gatherer. 

To add the PacketSight ISM, you need the following: 

• Administrator or Manager access rights to the system. 

• License to use the PacketSight Information Source Module installed. (See the section 
"Installing Licenses" in the XA CCTusage User Guide for details.) 

• The Gatherer that the PacketSight ISM will be associated with, configured in the system. 

To add the PacketSight Information Source using the shortcut menu 

1 In the XACCTusage tree, right-click the Gatherer to which you want to add the 
PacketSight Information Source, and then click New Information Source. The 
Information Source Configuration wizard is displayed. 
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Adding a PacketSight ISM to the XACCTusage Configuration 



2 In the Name box, type a unique name for this Information Source. 



pfrj Infoimation Soutce Configuration 




JWaning: Applet Window 



3 From the Type list, select XACCT PacketSight. 
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4 Click Next. The next screen may take a minute or two to display as the ISM is now 
being downloaded to the Gatherer. This screen is used if you would like to import a 
configuration from a previous PacketSight ISM setup. To import the XML file, check 
the Yes button, and enter the path of the XML file containing the configuration 
information. Click Finish to import the file. 

Click the No button if you do not have an XML configuration you would like to im- 
port, and would like to use the default configuration currently stored in the database. 
If there is no configuration stored in the database, the No button will be grayed out, 
and you will need to define the path of an XML file to import. 
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Initial Setup 



For the initial setup of the PacketSight ISM, the No button is grayed out. You can ei- 
ther enter a path containing an XML configuration, or click Finish without specifying 
a path. 

When you click Finish without specifying a path, the following window appears: 



XACCTusage 



♦silt- - : The;specifiediconflguration;doesK« 

Warning: Applet Window 



Click Yes to accept the PacketSight ISM default XML configuration, or click No to 
return to the previous screen. 



13 




PacketSight ISM Guide (Preliminary) 



Using XML to Configure the PacketSight ISM 

The following two files are included with the PacketSight ISM and are used to configure 
the fields: 

• PacketSightlsm.dtd: Defines the Document Type Defintion (DTD) for the 
PacketSight configuration file. 

• PacketSightlsm.xml: Contains the initialization configuration information of each 
field and points back to the PacketSightlsm.dtd file. 

Once the PacketSightlsm.xml file is configured, you can use it to configure all other 
PacketSight ISMs on different Gatherers by importing the file. To configure the file you 
need a basic understanding of the extensible Markup Language (XML) and an XML 
editor. For more information about XML and DTD, please refer to one of the following 
sites: 

http://www.w3.org/XML 
http://www.xml.org 
http://www.xml 1 0 1 .com 

The tables on the following pages provide the parameters and switches for each of the 
elements. 
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Data Collecting Elements 



Elements 


Description 


Attributes 


Default 


Probe ID 


Overrides default 
PROBEJD. 


Ranges from 0 to 4294967295 (Max INT32) 


If 0, then Host 
ID 


LogConfig 
Verbosity 


oeis ine lug vcruuioiy. i nc 
level of log information 
written to the log file. 


nFRHf?* niitnnta mnst information slioht 

UtDw^7> UUIUUm IIIUOl 1 1 ilv/l 1 1 lull v/i i ] i^iiv^iii 

reduction in performance. 

INFO: outputs ISM performance metric 
information to log file, slight reduction in 
performance. 

ERROR: outputs error messages only. No 
reduction in performance. 


ERROR 


Log Config 
Path 


Sets file path for the log to be 
written. 


Any valid file path on hard disk. 


../Log/PacketS 
ightlsm.log 


Regular 

Polling 

Interval 


Frequency in which all flows 
are to be pulled from the 
engine.The interval is 
synchronized to the hour and 
must divide evenly into 60. 


1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30, and 60 
minutes 


30 minutes 


EventPolling 
Interval 


Frequency specified event 
flows are extracted from the 
engine. 


This value is synchronized to the hour, and 
must divide evenly into the 
RegularPollinglnterval field. 


60 seconds 
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Event Elements 



Event Elements configure the type of flows to pull from the engine during an event polling 
cycle. If not event is specified, then the Event polling is turned off, and the 
EventPollinglnterval field is not used. 



Elements 


Description 


Attributes 


StartEvent 


Gets only start flows 
out of the engine. 


none 


DoneEvent 


Gets only done flows 
out of the engine. 


none 


RangeEvent 


Gets flows out of the 
engine for range 
events. 


ARG: Argument to which this range event applies (e.g. "BYTECNT" for 
"total byte count"). 

OP: The operator apply (e.g. "ARTHGT" for "arithmetic greater than"). 

VALUE: The value to compare against (e.g. "10000") 

The following argument will get flows with bytecounts greater than 

10000: 

<RangeEvent ARG="BYTECNT" OP="ARTHGT" VALUE="100007> 
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Domain Elements 

The PacketSight ISM processed every HTTP Host request, and extracts the domain name 
based on the rules defined in RFC 1591 and other Internet RFCs. It takes into account the 
country code provided in the CountryCode file. 

If the DomainException file exists, domain names in this file are not extracted and the full 
Host name is used. This allows you to distringuish between a specific list of domains to the 
rest fo the domain names. This is used when you would like to have a break down of 
categories. 

Examples of domain extraction: 

www.xacct.com => xacct.com 
travel.americanexpress => americanexpress.com 
my.yahoo.com => yahoo.com 
Example of a domain that will not be extracted if in the DomainException file: 



travel.americanexpress.com => travel.americanexpress.com 



Elements 


Description 


Attributes 


Default 


Domain STATE 


Specifies how the 
PacketSight ISM should 
determine the Domain given a 
host name. 


On or off. Setting this 
to "off " will disable the 
processing for the 
domain. 


Off 


DomainException 
Interval 


Interval that the PacketSight 
ISM parses the 
DomainException.txt file 




12 hours 


DomainExceptionFile 


Location of the domain 
exceptionfile. 


Any valid file path on 
the hard disk 


Path relative to the home 
directory of the 
XACCTusage Gatherer. 


CountryCodesFile 


File containing all of the 
Country Codes. 


Any valid file path on 
the hard disk 


Path relative to the home 
directory of the 
XACCTusage Gatherer. 
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Probe Attributes 

The following fields have been grouped together into logical blocks. This makes it easier 
to turn on and off entire groups of fields at one time. Turning a Group on/off will turn on/off 
all fields in that group. If the Group is "on", then individual fields can be turned on/off by 
setting the STATE for that field (e.g. <Field NAME-"PS_Timestamp_Local" 
STATE="ofT7>). 

Sample Groupings are Timestamps and Service. Descriptions of these fields can be found 
in the PacketSight ISM Output Fields section. 

Timestamps Group 

Fields contained in the Timestamps Group. 

PS_Timestamp_Local 

PSJTimestampJJTC 

PS_Timestamp_Begin 

PS_Timestamp_Update 

PS_Timestamp_End 

PS_Time_Zone_Code 

PS_Time_Zone_Bias_From_UTC 

PS_Local_Standard_Time_Zone 

PS_Local_DST_Time_Zone 

PS_Day_Light_Saving_Time_Flag 

Services Group 

Fields contained in the Service Group: 



PS_ 


.Servi 


ce_ 


.Protocol 


PS_ 


.Servi 


ce. 


_R1 


PS. 


.Servi 


ce_ 


R2 


PS. 


_Servi 


ce_ 


_R3 


PS. 


.Servi 


ce. 


_R4 


PS. 


.Servi 


ce. 


_R5 


PS. 


_Servi 


ce. 


R6 


PS. 


_Serv 


ce. 


_R7 


PS. 


_Serv 


ce_ 


_R8 


PS. 


_Serv 


ce_ 


_R9 


PS. 


_Serv 


ice_ 


_R10 


PS. 


_Serv 


ice_ 


_RH 


PS. 


_Serv 


ice. 


_R12 
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Protocols 

The Protocol elements specify for which protocols the PacketSight ISM should extract 
specific attributes. Supported Protocols are HTTP, EMAIL, FTP, RTSP, and NNTP. 
Unless otherwise specified, turning on/off a protocol will turn on/off all fields for that 
protocol. Each protocol contains a list of output fields/attributes associated with the 
protocol. Turning on individual fields for a given protocol will automatically specify the 
field to be an output field. 

HTTP Related Fields 

PS_HTTP_Domain 

PS_HTTP_Host 

PS_HTTP_Path 

PS_HTTP_Path_Extension 

PS_HTTP_Response_Code 

PS_HTTP_MIME_Type 

PS_HTTP_MIME_Subtype 

EMAIL Related Fields 

PS_Email_Incoming 
PS_Email_Outgoing 
PS_Recipient_Number 

FTP Related Fields 

PS_Data_User_Name 

PS_Anonymous_Flag 

PS_Filename 

P S_Files_Do wnloaded 

PS_Files_Uploaded 



19 



PacketSight ISM Guide (Preliminary) 



RTSP Related Fields 

PS_RTSP_Domain 

PS_RTSP_Host 

PS_RTSP_Path 

PS_RTSP_Path_Extension 

PS_Media_Player 

PS_Media_Type 

NNTP Related Fields 

PS_Articles_Posted 
PS_Articles_Read 
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Performance Metrics 

This section contains information for turning on/off different performance metrics in the 
the PacketSight core. For further information on Performance Metrics, please refer tot he 
XACCT PacketSight User Guide. The performance metrics are divided into the following: 

• PerformanceMetricCount: metrics that only consist of a counter. 

• PerformanceMetricFull: metrics with the full set of statistics (N, Min, Max, Sum X, 
Sum X2, and sum IX) 

Count Performance Metrics 

The Count Performance Metric is a simple count that can be turned on or off by setting the 
STATE attribute (e.g. <PerformanceMetricCount NAME="PM_CS_ConnectionRetrans" 
STATE="on'7>), The following six metrics are Count Performance Metrics: 

PM_CS_ConnectionRetrans 

PM_SC_ConnectionRetrans 

PM_CS_ConnectionOutOfOrders 

PM_SC_ConnectionOutOfOrders 

PM_CS_ConnectionClosedWindows 

PM_S C_Connect ionclosed Windows 



Configuring 
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Full Performance Metrics 

Each Full Performance Metric can have the following attributes: 

N number of events (e.g., number of data packets) 

Min X smallest value seen (e.g., smallest amount of data seen in a packet) 

Max X largest value seen (e.g., largest amount of data seen in a packet) 

Sum X sum of all values (e.g., total amount of data in all packets) 

Sum X2 sum of the squares of each value (computes standard deviation) 

Sum IX sum of each sequence index (1,2, ...n) times its corresponding value 

Each Full Performance Metric can be turned on or off. By default, all 6 Performance Metric 
attributes are off. Each Full Performance Metric can be turned on or off by setting the 
STATE attribute. The following metrics are Full Performance Metrics: 



PM_ConnectionEstablishment 


PM_ 


_cs_ 


.ART. 


_ES 


PM_ConnectionGracefulTermination 


PM. 


_CS. 


.ART. 


_SE 


PM_ConnectionTimeoutTermination 


PM_ 


CS. 


ART 


„ss 


PM_CS_ConnectionWindows 


PM_ 


.sc_ 


ART 


_ES 


PM_SC_ConnectionWindows 


PM_ 


_sc 


.ART 


_SE 


PM_CS_Message_Jitter 


PM_ 


_SC_ 


ART. 


ss 


PM„SC_Message_Jitter 


PM_ 


CS„ 


ERT_ 


ES 


PM_CS_Stream_Jitter 


PM. 


_CS_ 


_ERT_ 


.SE 


PM_SC_Stream_Jitter 


PM. 


_CS_ 


_ERT_ 


_SS 


PM_CS_Hop_Count 


PM_ 


.SC. 


ERT_ 


ES 


PM_SC_Hop_Count 


PM_ 


_sc_ 


_ERT_ 


SE 




PM. 


_sc. 


_ERT_ 


_ss 
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PacketSight ISM Output Fields 

The PacketSight ISM provide over 180 fields. This allows you to control which fields will 
be defined by the PacketSight ISM for future enhancement or insertion into the Database. 
They have been broken down into the following categories: 

• Performance Metrics 

• Additional Performance Metrics 

• General Fields 

• HTTP 

• FTP 

• RTSP 

• NNTP 

• POP3 

• SMTP 

• Email 

• Session 

Performance Metrics 

These fields all have the following six metrics: 

N number of events (e.g., number of data packets) 

Min X smallest value seen (e.g., smallest amount of data seen in a packet) 

Max X largest value seen (e.g., largest amount of data seen in a packet) 

Sum X sum of all values (e.g., total amount of data in all packets) 

Sum X2 sum of the squares of each value (computes standard deviation) 

Sum IX sum of each sequence index (1,2, ...n) times its corresponding value 
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Jitter Metrics 

The Performance Metrics described in this section defines jitter as being the variance of the 
data packet observation time (e.g., the observed inter-data packet gap). It focuses solely on 
data arrival time. The Metric contains information about the Jitter (Inter-Packet Gaps) 
measured for data packets for a given application between two communicating end-points. 



Field Name 


Description 


PS CS Msg Jitter 


Measures the jitter for packets within data messages being exchanged from the Client to 
Server. Provides useful information about the performance of traffic in message-oriented 
(request/response) conversationsA data message starts with the fist data packet from the 
client to the server and is demarcated (or terminated) by the first subsequent data packet 
in the other direction. Client to Server Inter-Packet Gaps are measured between data 
packets within the message. 


PS SC Msg Jitter 


Same as PS CS Msg Jitter, only Server to Client. 


PS CS Strm Jitter 


Measures the jitter for data packets being transferred from the Client to the Server. Client 
to Server Inter-Packet Gaps are measured between all data packets within the data 
stream. Provides useful information about the performance of traffic in conversations with 
independent, bi-directional data streams. 


PS SC Strm Jitter 


Same as PS CS Strm Jitter, only Server to Client. 
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Exchange Response Metrics 

Exchange Response Metrics consider the raw data streams of conversations when 
measuring response-time. They consider only the relative transfers of data packets without 
any further interpretation of the packets. 

Exchange Response starts with the abstraction of a communicated exchange-message. An 
exchange-message is considered to start with a series of adjacent data packets transferred 
in a given direction (exchange message request). The end of such a message is defined to 
be the transfer of one or more adjacent data packets in the other direction (exchange 
message response). 

The advantages of the Exchange Response set of metrics are that they: 

• Can be applied uniformly to connectionless traffic 

• Are very low in execution overhead to assess and detect. 
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Field Name 


Description 


PS CS ERT SS 


Client to Server Exchange Response Time Start to Start. Measures the response time 
between the start of data messages from the Client to the Server and the start of their 
subsequent response data messages from the Server to the Client. A Client to Server data 
message starts with the first data packet from the Client to the Server and is demarcated (or 

tnrmin^taH\ Hw tha flrct ci ihcom iont rlata narlfpt in thp nthpr rlirpftinn Thp total timp hpfween 
lerminaicU ) DV INC Tirol oUUool»|Uei 11 UcUd |JaLfl\oi ill u ic uu ici um coiiui i . i mc iwiai in 1 10 ucivv^i i 

the start of the Client to Server data message and the start of the Server to Client data 
message is measured with this metric. 


PS CS ERT ES 


Client to Server Exchange Response Time End to Start. Same as PS CS ERT SS, only 
End to Start. 


PS CS ERT SE 


Client to Server Exchange Response Time Start to End. Same as PS CS ERT SS, only 
Start to End. 


PS SC ERT SS 


Server to Client Exchange Response Time Start to Start. Measures the response time 
between the start of data messages from the Server to the Client and the start of their 
subsequent response data messages from the Client to the Server. A Server to Client data 
message starts with the first data packet from the Server to the Client and is demarcated (or 
terminated) by the first subsequent data packet in the other direction. The total time between 
the start of the Server to Client data message and the start of the Client to Server data 
message is measured with this metric. 


PS SC ERT ES 


Server to Client Exchange Response Time End to Start. Same as PS SC ERT SS, only 
End to Start. 


PS SC ERT SE 


Server to Client Exchange Response Time Start to End. Same as PS SC ERT SS, only 
Start to End. 
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Application Response Metrics 

Application Response Metrics build on the Exchange Response Metrics to consider the 
sequenced data streams of conversations when measuring response-time. They consider 
only the relative transfers of data packets that increase the sequence space for their 
direction of transfer. 

Application Response starts with the abstraction of a communicated application-message. 
An application-message is considered to be a series of adjacent data packets transferred in 
a given direction and increasing the sequence space for that direction (application message 
request). The end of such a message is defined to be the transfer of one or more adjacent 
data packets increasing the sequence space in the other direction (application message 
response). Only initial (original) transmissions of data packets are considered within the 
scope of application response measurements. 

The advantages of the Application Response set of metrics are: 

• Can be applied uniformly to connection-oriented traffic. 

• Modest execution overhead to assess and detect. 

• These metrics try to avoid having to distinguish retransmissions from out-of-order 
packets. This is to avoid the concomitant overhead of duplicate detection within the 
scope of this metric. 

• Are not skewed by retransmitted (duplicate) or out-of-order data packets. 



27 




PacketSight ISM Guide (Preliminary) 



Field Name 


Description 


PS ART SS 


Contains information about the Transport-level response time measured for message 
interactions of a given application between two communicating end-points. Measures the 
response time between the start of application messages from the Client to the Server and 
the start of their subsequent application message responses from the Server to the Client. 
A Client to Server application message starts with the first sequence-space increasing 
Transport Protocol Data Packet/Unit (TPDU) of a request from the Client to the Server and 
is demarcated (or terminated) by the first subsequent sequence-space increasing data 
packet of the response to the request. The total time between the start of the Client to the 
Server application message request and the start of the associated response from the 
Server to the Client is measured with this metric. 


ART 

i O ww nr\ 1 Cw 


Client to Server Annlication Resoonse Time End to Start Same as PS CS ART SS, only 
End to Start. 


P^ ART 

r w ww ni\l 


Client to Server Application Response Time Start to End. Same as PS CS ART SS, only 
Start to End. 


PS SC ART SS 


Contains information about the Transport-level response time measured for message 
interactions of a given application between two communicating end-points. Measures the 
response time between the start of application messages from the Server to the Client and 
the start of their subsequent application message responses from the Client to the Server. 
A Server to Client application message starts with the first sequence-space increasing 
Transport Protocol Data Packet/Unit (TPDU) of a request from the Server to the Client and 
is demarcated (or terminated) by the first subsequent sequence-space increasing data 
packet of the response to the request. The total time between the start of the Server to the 
Client application message request and the start of the associated response from the Client 
to the Server is measured with this metric. 


PS SC ART ES 


Server to Client Application Response Time End to Start. Same as PS SC ART SS, only 
End to Start. 


PS SC ART SE 


Server to Client Application Response Time End to Start. Same as PS SC ART SS, only 
Start to End. 
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Connection Metrics 

The PacketSight ISM supports Connection Metrics to report establishment and termination 
measures for conversations over reliable, connection-oriented Transport Protocols (e.g., 
TCP, SPX, etc.). 



Field Name 


Description 


PS Conn 
Establish 


Connection Establishment: Measures the number of connections established between 
end-points. Including: 

• Number of transport connections successfully established 

• ^ot-im timpQ r»f thp p^tahli^hpd mnnprtions 
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• Sum total of all the setup times for each connection. 

• Average setup time 


PS Conn Graceful 
Term 


Connection Graceful Termination: Measures gracefully terminated connections both in 
volume and summary connection duration. Including: 

• Number of gracefully terminated transport connections 

• Durations (lifetimes) of gracefully terminated connections 

• Sum of the total durations for all the connections 

• Average duration 


PS Conn Timeout 
Term 


Connection Timeout Termination: Measures previously established and timed-out 
connections both in volume and summary connection duration. Including: 

• Number of time-out transport connections 

• Durations (lifetimes) of timed-out terminated connections 

• Sum of the total durations for all the connections 

• Average duration 
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Connection Window Metrics 

The PacketSight ISM supports Connection Sequence Metrics to report windowing 
performance measures for conversations over reliable, connection-oriented Transport 
Protocols (e.g. TCP, SPX, etc.). 



Field Name 


Description 


PS CS Conn Window 


Client Server Connection Window: Measures the number of transport-level packets 
containing windows from the Client to the Server and their relative window sizes. For 
some Transport Protocols the number of data packets may be estimated by taking the 
difference between the Window count of this metric and the overall traffic from the Client 
to the Server 


PS SC Conn Window 


Server Client Connection Window: Same as PS CS Conn window, only Server to 
Client. 


PS CS Conn Closed 
Windows 


Client Server Connection Closed Windows: Measures number of Transport-level 
Windows from Client to Server within established connection lifetimes, which fully 
closed the acknowledge/sequence window. 


PS SC Conn Closed 
Windows 


Server Client Connection Closed Windows: Same as PS CS Conn closed Windows, 
only Server to Client. 
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Additional Performance Metrics 
Connection Sequence Metrics 

The PacketSight ISM supports Connection Sequence Metrics to report sequencing 
performance measures for conversations over reliable, connection-oriented Transport 
Protocols (e.g., TCP, SPX, etc.). 



Field Name 


Description 


PS CS Conn Retrans 


Client Server Connection Retransmissions: Measures number of actual events 
within established connection lifetimes in which transport, data-bearing packets from the 
Client to the Server were retransmitted. 


PS SC Conn Retrans 


Server Client Connection Retransmissions: Measures number of actual events 
within established connection lifetimes in which transport, data-bearing packets from the 
Server to the Client were retransmitted. 


PS CS Conn Out of 
Orders 


Client Server Connection Out of Orders: Measures the number of actual events within 
established connection lifetimes in which transport, data-bearing packets from the Client 
to the Server were detected as being out of sequential order. 


PS SC Conn Out of 
Orders 


Server Client Connection Out of Orders: Measures the number of actual events within 
established connection lifetimes in which transport, data-bearing packets from the 
Server to the Client were detected as being out of sequential order. 
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Routing Metrics 

The PacketSight ISM supports metrics to report routing performance measures for 
Network Layer protocols supporting routing information capabilities. 



Field Name 


Description 


PS CS Hop 
Count 


Client Server Hop Count: Measures the Hop Count (or routing distance measure) for 
Network-layer packets from the Client to the Server. Some network-layer protocols do not 
include routing distance values in their routing definitions. This metric will not be available or 
reported for traffic observed for such network-layer protocols. 


PS SC Hop 
Count 


Server Client Hop Count: Same as PS CS Hop Count only Server to Client. 



General Fields 



Field Name 


Description 


Event Type 


Type of flows to pull from the XACCT PacketSight engine during an event polling 
cycle. The different events are Start, End, and Range. 


Client IP Address 


The IP address that was assigned to the user for dialup of the permanent IP 
address for the client. 


Server IP Address 


IP address of server sending data. 


PS Src MAC Address 


Source MAC Address 


PS Dst MAC Address 


Destination MAC Address 


PS Probe ID 


Unique identifier for the probe that generated the data. Assigned by the Probe ID 
parameter in the XML file. 


PS Time Zone Bias From 
UTC 


The difference in seconds between the local time zone and the UTC (GMT) time 
zone. 


PS Day Light Saving 
Time Flag 


True, if it is day light savings time. 


PS Local Standard Time 
Zone 


Dependent upon the location of the PacketSight Analyzer. 
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Field Name 


Description 


PS Local DST Time Zone 


Dependent upon the location of the PacketSight Analyzer. 
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daylight-time flag, (e.g., EST (UTC - 5 hours, standard time) is -5*2*2 = -20) 


PS Response Time 


Time between when the first HTTP request packet is sent and when the first 
response packet from the server is received. 


PS CS Response Time 


Client to Server Response time. 


PS SC Response Time 


oerver to unent Kesponse nme. 


PS Service Protocol 


The network protocol of the flow (e.g. HTTP, TCP, and UDP) 


PS URL Host 


The hostname, if available, normalized to all lower-case. 


PS URL Path 


Entire path of the URL (e.g. www.xacct.com/careers/logo.gifwould be 
/careers/logo.gif) 


PS URL Domain 


The domain (or site) derived from the hostname, (e.g. xacct.com) 


PS Begin Time 


Timestamp of the first packet seen in a flow. The value is the number of 
nanoseconds since January 1, 1970. 


PS Update Time 


Timestamp of the last packet seen in a flow. The value is the number of 
nanoseconds since January 1, 1970. 


PS End Time 


Timestamp of the last packet seen for the done flow. For TCP flows, it is the 
timestamp of the last observed flow, but it is possible for more flows due to 
time-outs or subflows. The value is the number of nanoseconds since January 1, 
1970. 


PS Service R1 (R1-R12) 


Twelve separate fields. R1 is the first part on the right of Data_Service. Fields R12 
is the twelfth part on the right of Data_Service. For example: 
ether2.ip-v4.tcp.http.text.html would be broken down as the following: 

R1=html 

R2=text 

R3=http 

R4=tcp 

R5=iv-v4 

R6=ether2 
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Field Name 


Description 


PS MIME Type 


Content type or media type of downloaded content, (e.g. text, image, application) 


PS MIME Sub Type 


Mime sub type (e.g. TIF, GIF, VPIM) 


PS URL Path Extension 


File extension of the URL. For example, gif would populate the field if the user went 
to www.xacct.com/careers/logo.gif. 


PS Timestamp Local 


Timestamp of the flow in local time. 


PS Timestamp UTC 


Timestamp of the flow in UTC (GMT) time. 


PS Data User Name 


Login name of the user for an FTP session. 


PS Server Port 


Server protocol port number (e.g. 80 for HTTP). 


PS Client Port 


Client protocol port number. 


PS CS Connection 
Resets 


Measures the Client to Server TCP connection resets. 


PS SC Connection 
Resets 


Measures the Server to Client TCP connection resets. 


PS HTTP Response Code 


Status code returned by web servers when a web page is requested. 


PS Service 


The name of the protocol (e.g. ether2). 


ro Uo raCKetS 
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traffic measured for a given application between two communicating end points, 
from the client to server. 


PS SC Packets 


Traffic packet count from server to client. Contains information about the volume of 
traffic measured for a given application between two communicating end points, 
from the server to client. 


PS CS Bytes 


Volume of traffic measured for a given application between two communicating end 
points, from the client to the server. Indicates the byte count of traffic corresponding 
to the number of packets indicated by the PS CS Packets metric. 


PS SC Bytes 


Volume of traffic measured for a given application between two communicating end 
points, from the server to the client. Indicates the byte count of traffic corresponding 
to the number of packets indicated by the PS SC Packets metric. 


PS Flow ID 


A unique ID for a flow. 
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Field Name 


Description 


PS Parent Flow ID 


A unique ID for a parent flow. Used for multiple flows in a session, (e.g., an http 
session starts multiple gifs download sessions) 


PS Aggregation Flag 


Only used internally with XACCJusage. It flags the field to specify whether or not it 
should be aggregated. 
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Session ISM Fields 

Use the following fields in conjunction with the Session ISM. 



Field Name 


Description 


PS Client Session 


Assigns Session IDs to Client Sessions. 


PS Server Session 


Assigns Session IDs to Server Sessions. 


PS Site Session 


Assigns Session IDs to Site Sessions. 



RTSP Fields 



Field Name 


Description 


PS Media Type 


Extracts Media Player URL. 


PS Media 
Player 


Establishes mapping for Media Player URL. 


PS Packets 
Dropped 


Number of packets dropped. 



Email Fields 



Field Name 


Description 


PS Email 
Incoming 


Number of incoming emails. 


PS Email 
Outgoing 


Number of outgoing emails. 


PS Recipient 
Number 


Number of recipients of email. 
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FTP Fields 



Field Name 


Description 


PS Files Uploaded 


Number of files uploaded. 


PS Files 
Downloaded 


Number of files downloaded. 


PS Filename 


Name of file uploaded or downloaded. 


PS Anonymous 
Flag 


This is true if the PS Data Username field is Anonymous. 



NNTP Fields 



Field Name 


Description 


PS Articles 
Read 


Number of articles read. 


PS Articles 
Posted 


Number of articles posted. 


PS Newsgroup 


Name of Newsgroup. 
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Glossary 

CEM: See Central Event Manager. 

Central Event Manager (CEM): A component of X ACCTusage that coordinates, 
manages, and controls the operation of the system. 

Data Collection Module (DCM): (Formerly called Asynchronous Information Source 
Module.) A type of Information Source Module that provides data from the network 
elements, for example, the Check Point FireWall-1 ISM. 

DCM: See Data Collection Module. 

Data Enhancement Module (DEM): (Formerly called Synchronous Information Source 
Module.) A type of Information Source Module that enhances the data gathered from 
the network elements, for example, the DNS ISM. 

DEM: See Data Enhancement Module. 

Enhancement Procedure: The set of operations that define the route of the network 
session record from the Information Source that supplies the initial data (the trigger of 
the Enhancement Procedure) to the place where the data is stored (the target). The 
Enhancement Procedure includes Field Enhancements on every field of the target that 
receives information originating from the trigger. 

Field Enhancement: Part of an Enhancement Procedure that defines how the data obtained 
from its trigger is used to fill a single field in the target. 

Gatherer: A component of XACCTusage whose main function is to collect network traffic 
data from the Information Sources located on the network. The Gatherers defined are 
multi-threaded lightweight smart-agents designed to run on non-dedicated hosts as 
background processes. 

Information Source (IS): 1. A network device or application server from which 

XACCTusage collects network session data. An Information Source can be a mail 
server, a firewall, a router, a DNS server, and the like. 2. An instance of an Information 
Source Module that is part of the XACCTusage configuration and hence is a system 
configuration object. For example, an Information Source of type DNS, called 
dns-xacct, which is part of the XACCTusage configuration and appears as an object 
in the XACCT tree. 
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Information Source Module (ISM): An add-on to XACCTusage whose function is to 
provide an interface between a Gatherer and a specific network element. 

IP address: Internet Protocol address. A 4-byte address that uses numbers (rather than 
names) and uniquely identifies a host computer on the Internet, for example, 
200.201.32.1. The IP address can be split into a network number (or network address), 
a host number (a number unique to each host on the network), and sometimes also a 
sub-net mask. 

IS: See Information Source. 

ISM: See Information Source Module. 

Unified Network Information Record (UNIR): A compact and efficient generic format 
in which network data is maintained and processed in XACCTusage. 
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